by ChuckMcM 5 days ago
Exactly this. (and it is a false dichotomy to argue infinite liability).

To Terr_'s point, if you were publishing open source you would also publish exactly the things you intended it to be used for and anything else would violate your warranty (possibly implied) that it does what the documentation says it does.

There is a huge amount of tort law that covers exactly when it becomes a problem for you the creator vs you the user in your own project. And that liability is also based on, once you know something bad could happen, making an effort to notify people[1].

[1] https://www.cpsc.gov/Newsroom/News-Releases/2026/Clorox-Agre...


Software can be copied infinitely, so even $1 of liability is effectively infinite since an unlimited number of people can potentially use it and sue you when it blows up.

Nobody's going to be distributing software on the internet for free if the cost of insurance alone precludes that.

This is not how liability works, anywhere. So I write a piece of code that "makes your screen do cool things" and it causes the power supply to fail on those screens. Someone reports that bug to me and I check it out and say "Oh, shit, it does break power supplies." Then I immediately put a notice on and in the code that says "WARNING: This code will break the power supply of your monitor." And I put that warning in the repo. And if there is a Discord or a mailing list I tell everyone "Hey, this is important, if you run this code it can break your monitor."

Guess what, I'm not liable for the damage. Why? Because I immediately responded once I knew that it could, I made a good effort to warn people who might already have the code of the risk, and I made it clear in the code that this risk is there.

Ever wonder why you get a booklet of warnings when you buy a product, with even really stupid things like "Don't clean with gasoline" warnings? That's because once you have discharged your duty to warn you are no longer liable for what happens if someone ignores your warning.

The flip side is also true: you cannot say in your product both "Hey, this product does these cool things" and "We don't warrant the product to actually do anything." This is especially true if there is money involved (like your user paid you some $ for the product). There is always an implied warranty that the thing will do what you say it will do, which exists as long as the user has heeded all your warnings.

I broadly agree with you but TBF to the earlier comment consider what would happen if a FOSS author did something wrong and was found to be liable. How about curl for example? That sees use in car infotainment systems among other things and cars can be pretty expensive and there sure are an awful lot of them. The point is that we should be able to accommodate someone pushing a hobby project to github under a permissive license while also imposing liability against developers in instances where money changes hands or where someone's work involves interacting with the physical world.
The EU CRA handles this by putting liability on someone who integrates FOSS into a product instead of someone who wrote it. Because it doesn't make sense to put liability for unforeseen downstream uses on someone who gave away something they made in their spare time. Now, if it was a virus, you're still liable for distributing a virus.
Yes, when you're selling a product you can price the risk of lawsuits into whatever you're charging customers. You can't do that with free software without making it no longer free.

"No problem: just don't get sued" only works if legal battles are free and/or the law makes it so blatantly obvious that you're not liable that nobody would bother to try.

I realize this is drifting off topic, and I'm happy to talk more by email (address in profile), but in the interest of sharing a bit more, consider this statement you paraphrase:

"a FOSS author did something wrong and was found to be liable"

In fairness, I'm not sure the earlier commentator really understood what they were saying, at least not as far as legal liability is concerned.

The FOSS author simply wrote some code and shared it, right? That is their 'action'. Can you think of ways that does direct harm, which is to say they published their code, and with nothing else happening someone got harmed? One way that can cause harm is the FOSS author publishes a trade secret[1] or access credentials of a third party. In both cases they could (and would) be sued by that third party. But absent that, I'm having a hard time coming up with a case where simply the existence of most code causes someone else harm.

So to get to harm we have to add another person, that person somehow applies the code, and in that application harms another person. Our FOSS author might be sued as being contributory because the person who caused harm might not have done so if they didn't have access to the code. To prove that, the plaintiff would have to prove that the FOSS author knew that the code could cause harm if used in this way, and encouraged or otherwise abetted the person who did harm to use it in doing the harm. That can be a hard standard to reach[2].

In your car example, it would be challenging to prove that Daniel Stenberg wrote curl so that you could use it to brick car infotainment systems. But it would be easier to prove that a manufacturer that incorporated FOSS code and didn't check their system for risks like this should be found liable.

Liability accrues first to the party that did the action. Secondary liability can reach out to suppliers[3] of things used in that action. This is also civil law rather than criminal law and so it works a bit differently in terms of evidence standards and penalties.

[1] We can make a joke here about badly formatted code, but hopefully we're in agreement so far. A real example was the DVD decoding software that included the key for decoding encrypted DVDs.

[2] Not that people might not try; it's too easy to sue. There have been cases where someone wrote some code that was later used in a weapon (an example might be Ardupilot software in drones used to kill Russians). But even in that case, the courts in the US at least have consistently found that if it is not the primary purpose of the software to do harm, then the author is not liable.

[3] Unless you're a gun company, as gun companies have managed to keep themselves from being found liable for people using their guns to do harm. But there is also lots of interesting case law there too which might help inform.

That's a really good point. Where I remain at least somewhat concerned is for example suppose that one day curl pushes a terrible bug to production that results in all sorts of nasal demons flying out of client devices. Is this free code that was picked up off the side of the road thus zero liability? Or is this a trusted product written and maintained by a professional that has stood the test of time thus there might be liability because there's an assumption that official updates will be fit for purpose?

Now if I were running a small business I might choose not to worry about the tail risk of my product causing a few million dollars in harm or (more likely) I'd have insurance to cover that. But someone tossing code along the side of the road presumably doesn't have (and doesn't want to think about) insurance, and meanwhile the tail risk has become nearly unbounded thanks to the effectively arbitrary number of deployed instances.

I think there's also some benefit to having a big fat NO WARRANTY clause at the top of the license file because it might give you a better chance of a summary dismissal (or even deter the other party from trying in the first place) since as we all know the process itself can be ruinous even if you eventually prevail.

Which is all to say that I share your view. Willingly negligent vendors that cut costs by omitting security while viewing the resultant mishaps as an inescapable reality ought to be held accountable. But I think it would also be a good idea to add an official exemption for software that's made available free of charge. It seems like if you pick something up off the side of the road any mishaps that follow from that should necessarily fall to you.

There's a pattern I noticed, especially on this site, where people claim various VC/ad/tech dark patterns, enshittification, privacy violations, dishonest marketing, etc. MUST be allowed, otherwise open source or 'the internet' will face some sort of existential risk.

No bro - open source and the internet existed long before SV tech parasitism did and will exist long after.

I don't disagree, that pattern exists, but it is essentially true. Just not in the way the folks saying it is true understand it. If the "VC/ad/tech dark patterns, enshittification, privacy violations, dishonest marketing, etc." weren't allowed, then their job might not exist. That can be true. What is missed is that if there is value in the thing, then it will exist.

When I reflect this back to someone making this argument by saying, "So your argument is that you make your living as a pickpocket, but if pickpocketing is made illegal, you won't be able to make a living." Which of course would only be true if the only thing they could do was 'be a pickpocket'. It's a very common rhetorical technique to argue that the status quo cannot be changed. All the arguments that "you'll put all coal miners out of business if you require only green energy." And yet the people, the miners themselves, will likely be fine. The firms might not, but there are other firms that could exist.

This isn't a new problem, or one specific to this web site, although it does get disproportionately hit because so many technology companies saw what Google started in the 2000's and said, "Man there is soooo many ways to get money for this." rather than, "Is this a reasonable way to make money? Sure it is 'perfectly legal' but is it right? Is it moral?" The type of person who thinks that something is "Only illegal if you get caught" is neither moral nor particularly concerned about what is right. And we got a lot of that type.

"It's a very common rhetorical technique to argue that the status quo cannot be changed."

Thank you for putting this so eloquently into words. This rigid thinking is also common in topics such as working conditions, collective bargaining, on-call time, parental leave, healthcare, and effectively (unintentionally or not) shuts down conversation.

I've come to realize the objections from people who think this way all effectively boil down to 'Be grateful for what you have because any alternative would be worse.' But if you pry and ask that they expand, you'll find there really isn't any there there, because it's black and white thinking. It isn't rooted in fact; it comes from fear. I sure hope we haven't collectively forgotten how to even imagine a system that functions better than the one we have today.

Thanks. For me, I was in debate club in High School and that included basic rhetoric. In college I took an argumentation class as a non-engineering elective. The most useful thing this class taught (for me) is how to 'see' the argument, and as a consequence see how it is constructed. Throughout my career it has been especially useful in "political" situations at work. Not everyone argues in good faith, and being able to spot those who are not is valuable.
With respect to the need/impossibility of change, the "Politician's Fallacy" seems related:

1. Something must be done.

2. This is something.

3. Therefore this must be done!

Very well put.